Posted to dev@any23.apache.org by "Lewis John McGibbney (Jira)" <ji...@apache.org> on 2022/01/05 19:32:00 UTC

[jira] [Resolved] (ANY23-553) Document MathUtils#md5 to warn that the weak hash algorithm is not to be used in a sensitive context

     [ https://issues.apache.org/jira/browse/ANY23-553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lewis John McGibbney resolved ANY23-553.
----------------------------------------
    Resolution: Fixed

> Document MathUtils#md5 to warn that the weak hash algorithm is not to be used in a sensitive context
> ----------------------------------------------------------------------------------------------------
>
>                 Key: ANY23-553
>                 URL: https://issues.apache.org/jira/browse/ANY23-553
>             Project: Apache Any23
>          Issue Type: Improvement
>          Components: core, security
>    Affects Versions: 2.6
>            Reporter: Lewis John McGibbney
>            Assignee: Lewis John McGibbney
>            Priority: Major
>             Fix For: 2.7
>
>
> Sonarcloud.io analysis has [identified a potential security vulnerability|https://sonarcloud.io/project/security_hotspots?id=apache_any23&hotspots=AX4hXXA7bH-PGMU5iLkk] with [MathUtils#md5|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/util/MathUtils.java#L35-L49].
> I have reviewed usage of this method in the Any23 codebase and found that it is used in one place for one purpose. It is only used in [RDFUtils#getBNode()|https://github.com/apache/any23/blob/master/core/src/main/java/org/apache/any23/rdf/RDFUtils.java#L375-L386]. 
> To determine whether there is a risk we should ask three questions:
> If the hashed value is used in a security context like:
> # User-password storage.
> # Security token generation (used to confirm e-mail when registering on a website, reset password, etc.).
> # To compute some message integrity.
> There is a risk if you answered yes to any of those questions.
> I determine that all answers are no.
> I therefore propose to augment the Javadoc with a warning and provide a unit test to improve the test coverage.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
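An added illustration of the documentation change the issue proposes; this is not code from Any23, from MathUtils, or from the reporter. It shows an MD5 helper whose Javadoc states the only purpose it is fit for, a SHA-256 counterpart for any case where one of the three questions above is answered yes, and a main method that plays the role of the unit test the issue mentions by checking the helper against published test vectors. The class and method names (WeakHashExample, md5Hex, sha256Hex, check) are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Illustration only (not the Any23 MathUtils class): a weak-hash helper whose
 * documentation tells callers which uses are acceptable and which are not.
 */
public final class WeakHashExample {

    private WeakHashExample() {}

    /**
     * Computes the hexadecimal MD5 digest of {@code input}.
     * <p>
     * <b>Warning:</b> MD5 is a broken hash function. This method is suitable only for
     * non-security purposes, such as deriving a stable identifier (e.g. a blank-node id)
     * from a string. Do not use it for password storage, security token generation, or
     * message integrity; use {@link #sha256Hex(String)} or, for integrity, an HMAC instead.
     *
     * @param input the string to digest
     * @return 32 lowercase hexadecimal characters
     */
    public static String md5Hex(String input) {
        return hex(digest("MD5", input));
    }

    /**
     * Hexadecimal SHA-256 digest of {@code input}: the minimum to reach for when the
     * hashed value does carry security weight.
     */
    public static String sha256Hex(String input) {
        return hex(digest("SHA-256", input));
    }

    private static byte[] digest(String algorithm, String input) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            return md.digest(input.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            // MD5 and SHA-256 are required algorithms in every Java SE implementation.
            throw new IllegalStateException(algorithm + " not available", e);
        }
    }

    private static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b)); // negative bytes format as unsigned
        }
        return sb.toString();
    }

    private static void check(String expected, String actual) {
        if (!expected.equals(actual)) {
            throw new AssertionError("expected " + expected + " but got " + actual);
        }
    }

    /** Self-check in the spirit of the unit test the issue proposes. */
    public static void main(String[] args) {
        // Known-answer vectors from RFC 1321 (MD5) and FIPS 180-4 (SHA-256).
        check("d41d8cd98f00b204e9800998ecf8427e", md5Hex(""));
        check("900150983cd24fb0d6963f7d28e17f72", md5Hex("abc"));
        check("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
              sha256Hex("abc"));
        // The only property a blank-node identifier needs: same input, same id.
        check(md5Hex("_:node1"), md5Hex("_:node1"));
        System.out.println("all checks passed");
    }
}
```

Compile and run with `javac WeakHashExample.java && java WeakHashExample`. The Javadoc on md5Hex is the substance of the fix: a reviewer who later finds a new call site can answer the three questions from the method's own documentation instead of re-deriving the analysis.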